300,000+ users infected! Malicious browser extensions are spreading through fake downloads. Learn how to protect yourself from this sneaky malware.

Continue reading
Web browser extensions have evolved from niche software into a thriving sub-economy within the internet industry. Most browsers, including Microsoft Edge and Google Chrome, support extensions, offering hundreds of thousands of options in their respective stores. However, the rising popularity of extensions has also attracted bad actors, leading to a surge in malicious extensions that exploit this relatively new malware attack vector.
This Threatfeed aims to shed light on the broader issue of malicious web extensions, focusing on a specific ongoing threat.
The ReasonLabs Research Team has uncovered a new and widespread polymorphic malware campaign that forcibly installs extensions on user devices.
This Trojan malware, which has been active since 2021, employs various tactics, ranging from simple adware extensions that hijack searches to more sophisticated malicious scripts that deliver local extensions designed to steal private data and execute arbitrary commands. The malware originates from deceptive download websites that mimic legitimate sources, offering add-ons for popular online games and videos.
The reach of this malware is extensive, with at least 300,000 users across Google Chrome and Microsoft Edge impacted.
The malware campaign begins with seemingly innocuous downloads from fake websites that impersonate legitimate platforms like Roblox FPS Unlocker, YouTube, VLC, or KeePass.
These websites distribute Trojan installers that, instead of installing the desired software, register scheduled tasks with misleading names (e.g., Updater_PrivacyBlocker_PR1, MicrosoftWindowsOptimizerUpdateTask_PR1, NvOptimizerTaskUpdater_V2).
These tasks execute PowerShell scripts that download and run malicious payloads directly into memory, often bypassing detection by antivirus software.
*PowerShell scripts serve several key functions:*
The PowerShell scripts are central to the attack, facilitating the download of malicious extensions and the manipulation of browser settings.
They communicate with the C&C server, receiving instructions on which extensions to install, where to store downloaded files, and how to modify browser shortcuts. They also disable browser updates to maintain their persistence.
The attack culminates with a third-stage script that modifies browser DLLs (Dynamic Link Libraries) to hijack the default search engine.
This script identifies the browser's DLL files, changes specific bytes within them, and redirects search queries to the attacker's search portal, allowing them to control and monetize the user's search activity.
The forceful installation of these malicious extensions has caused significant frustration among users who find themselves unable to remove them. Many users mistakenly believe the issue lies within their browser and attempt to reinstall it, only to find the malicious extensions reappear.
The rise of malicious web extensions underscores the importance of user vigilance and proactive security measures. Users should be wary of downloading extensions from unknown sources and exercise caution when granting permissions.
Employing next-generation antivirus software and advanced endpoint security tools can provide robust defense against malware and other threats. However, the responsibility also lies with antivirus providers and endpoint security vendors to prioritize and address these emerging threats to protect their users effectively.
The malicious web extension campaign described in this article highlights the growing threat landscape surrounding browser extensions. Both users and security professionals must remain vigilant and take proactive steps to defend against these evolving threats. By staying informed and adopting robust security practices, we can mitigate the risks associated with malicious web browser extensions and safeguard our digital experiences.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation